My thoughts and stories relating to privacy, autonomy, human rights, law and the web

There was an error in this gadget

Friday, 14 October 2011

Business and Privacy: Evidence and Assumptions?

I came across a couple of stories yesterday that at first glance appeared unconnected, dealing with difference aspects of the current privacy debates concerning the internet. One comes from one side of the Atlantic, the other from the other. One deals with the 'fight' against piracy, the other with the current favourite of the online advertising industry, behavioural targeting. Very different issues - but they do have something in common: an inherent assumption that business success should take precedence over individual rights and freedoms.

The first issue was the revelation, through a Freedom of Information Request by the admirable Open Rights Group, that the Department of Culture, Media and Sport had no evidence to support their strategies to reduce the infringement of copyright by websites - you can see their report on the issue here.

The second came from my following of the House Energy and Commerce Committee hearing in Washington, about consumer privacy and online behavioural advertising - a hearing at least on the surface intended to consider consumer concerns, but which by the sound of it had a lot more to do with industry putting their case to avoid regulation. I followed on twitter, and remember one particular call from a regular and respected tweeter from the US who demanded evidence before regulation is considered. Specifically, he wanted evidence as to how much of the advertising economy depended on behavioural targeting - the underlying suggestion being, presumably, that we shouldn't regulate if it would have too significant an impact on revenue streams.

There are two different ways to look at the two stories. You can look at them as a reflection of the different attitudes to regulation on the two sides of the Atlantic - in England we're rushing to regulate, while in the US regulation is to be avoided unless absolutely necessary. Alternatively, however, you can look at them as a reflection of the way that business needs are set above individual rights and freedoms.

Copyright and piracy....

The Open Rights Group's request was in relation to the proposals in the Digital Economy Act, but that Act is just one of many measures introduced over the years to combat 'piracy', although the evidence in support of any of them has generally been conspicuous by its absence. That applies both to evidence to suggest that the problem is as bad as the industry suggests and to the efficacy of the measures being proposed to combat it. Does piracy cause a massive loss of revenue to rights holders? Perhaps, but the suggestions over the years that every illegally downloaded song is a lost sale is far from convincing, and the idea that listening to something illegally might even lead to further legal sales seems to have merit too. The massive success of iTunes suggests that carrots rather than sticks might be more effective - indeed, recent reports from Sweden showing that piracy had reduced as Spotify had been introduced adds weight to this idea.

The Open Rights Group's FOI request was about the effectiveness of the proposals - and the DCMS effectively acknowledged that they have no evidence about it. So we have proposals for measures about which there is no evidence, to address an issue about which evidence is scanty to say the least... and yet on that basis we're willing to put restrictions on individuals' freedoms, potentially apply censorship, and even cut off people's internet access as a result. That same internet access that is increasingly regarded as a human right.

The Digital Economy Act is one thing, but there's something else looming on the horizon of even more concern: the Anti-Counterfeiting Trade Agreement (ACTA), whose measures are potentially even more draconian than those in the DEA, and whose scope is even more all-encompassing. The US has already signed it - somewhat against the suggestion that the US prefers not to regulate where possible - and the EU may well sign it soon, though it still needs to pass through the European Parliament, and lobbying of MEPs is underway on both sides.

Behavioural advertising...

Legislation on behavioural advertising has already taken place in Europe, with the notorious 'Cookies Directive', about which I've written before - but the implementation, enforcement and acceptance of that directive has proved troublesome from the outset, and whether it ends up being at all meaningful has yet to be seen. Legislation in the US is what is currently under discussion, and what is being keenly resisted by the advertising industry and others. 'Show us the evidence' is the call - and until that evidence is shown, advertisers should be able to do whatever they want.

Evidence in relation to privacy is a contentious issue in lots of ways. Demonstrating 'harm' from an invasion of privacy is difficult, partly because each individual invasion isn't likely to be significant - particularly in respect of mundane tracking of websites browsed and so forth - and partly because the 'harm' is generally intangible, and far from easily turned into something easily quantifiable. Some people suggest that we should treat our personal information like a commodity, akin in some ways to intellectual property, but for me that fails to capture the real essence of privacy. I don't want to put a 'value' on my personal data, any more than I want to put a value on each of my fingers, or on my relationships with my friends and family. It's something different, and needs protecting as something different. I shouldn't need to prove the 'harm' done by that data being at risk - the loss of it, or loss of control over it, is a harm in itself.

That isn't all - not only does there appear to be an expectation that we should prove harm, but that even if there IS harm, we've got to prove that we wouldn't be damaging the advertisers' businesses too much. If their businesses would be harmed too much, we shouldn't put regulations in place....

Two different situations - but the same assumptions

In the copyright scenario, we're having our freedom restricted and our privacy invaded without real evidence to support what's happening. In the behavioural advertising scenario, we're having our privacy invaded and we're being asked to prove that there's a problem before any restrictions are placed - and, what's more, we're being asked to prove that we wouldn't damage business too much.

In both cases, it's the individuals who lose out. Business takes priority, and individuals rights, particularly in respect of privacy, are overridden. Where businesses perceive there are problems (as in the copyright scenario), they're not asked for proof - but where individuals perceive there are problems, they're asked for proof in ways that are inappropriate and unattainable. Shouldn't the situation be exactly the other way around? Shouldn't individuals' rights be considered above the business models of corporations? Shouldn't the burden of proof work in favour of individuals against businesses, rather than the other way around? Of course that's a difficult argument to make in economically troubled times - but it's an argument that in my opinion needs to be made, and made strongly.

My Website

About Me

Lecturer in Information Technology, Intellectual Property and Media Law at the University of East Anglia - and PhD candidate at the London School of Economics, in the Law Department - with a particular interest in human rights and privacy on the internet.
You can follow me on Twitter: @paulbernalUK